PowerShell and QADUser

A company called Quest provides an extra snap-in for PowerShell. The idea
is for these Active Directory cmdlets to work alongside the native PowerShell
commands. As a result we can examine users' properties and, with care,
change values and even reset their passwords.

Note 1: There is a rich seam of verbs that you can apply to
QADUser. You can examine the user with 'get', then configure them with 'set', 'enable'
or 'unlock'. To facilitate a bulk import of users from a spreadsheet
there is also 'new-QADUser'.

Objective: To Get Information About Active Directory Users

Let us assume that you have fulfilled the above pre-requisites. Now there
are just two things to do before my scripts will work:

a) Connect to Active Directory; best would be to log on at a domain controller
in a test network. Remote connection works well, and you could try
Virtual PC for your test network.

b) Find the variable $OU in my script(s), then amend its value to reflect
your domain and your Organizational Unit. You may need a little
extra work with Active Directory Users and Computers in creating an OU and a handful of users.

Note 1: -SearchRoot is the parameter which
connects to Active Directory.

Note 2: You did change the value of $OU -
didn't you? Also remember that these QAD cmdlets don't exist in the initial PowerShell
install; they are only available after you successfully run: add-PSSnapin
quest.activeroles.admanagement. If your script does not work, refer
back to the pre-requisites.

Note 3: DN, SID, GUID, UPN or Domain\UserName

Note 1: I suggest you try my parallel learning
technique, and match the user properties revealed by QADUser, with the
property sheet that you see in Active Directory Users and Computers.

Note 2: PowerShell's help tells us that you can
connect to an individual user if you know their: Domain\UserName, DN
(Distinguished name) or UPN (victim@yourdom.com).

Example 2b: How to List a User's Property with Get-QADUser

As with many of my scripts, there are two learning threads in this example: a real-life
objective (listing user properties) and also learning PowerShell
techniques (piping and word-wrap).

Important Preparation: Change the value of $OU.
"YourDomName/YourOu" is unlikely to work on your domain, so adjust this
value. If you have any doubts about the name, consult Active Directory Users and Computers.

My objectives here are twofold. Firstly, to practice scripting Active
Directory in a relatively harmless fashion. For instance, changing a user's
property called 'DisplayName' is less intrusive than changing their password.

Secondly, if we add a text string to displayName then we
have a 'handle' to filter Active Directory. The benefit of having a known
value for displayName is that we have an extra control to prevent
a rogue script changing everybody's password.

Important Preparation: As with example 2, you
need to edit this line: $OU = "YourDomName/YourOu"

Here is a script which sets the password for users. The
variable $OU specifies the precise location of the user accounts
targeted in your domain.

Be aware: This script has two safety catches. Firstly, it
changes only users with a particular value for DisplayName; secondly I use
the -whatIf parameter to test the output.
If the script does as you wish, then remove the last line.

Note 1: Set-QADUser has different properties
from Get-QADUser, for example, 'set' has a property called -userPassword.

Note 2: As mentioned previously, this script
has a 'where-Object' clause which acts as an extra check that you are changing only the
users with a particular displayName. Once you understand how this
script works, you could remove the 'where-Object' clause.

Note 2: Setting 'userMustChangePassword 1' looks
easy, and seems logical enough. However, I only hit upon this value of
numeric one after failing with = "Yes", True, and "1". You need just
plain 1 with no speech marks, and no equals sign.

Note 3: Observe how I just appended
the -userMustChangePassword parameter. Did I use a comma?
No. A semi-colon? No. Just straightforward
userMustChangePassword 1.

Warning: If you are not sure of what's
happening here, I strongly recommend that you append -whatIf.

For those who know what they are doing, it is possible to create a
script which changes all Active Directory accounts. The secret is
to persuade the script to start at the domainRoot/. The way you
achieve this dangerous task is to shorten the line: $OU = "YourDomName/YourOu"
to $OU = "YourDomName/".

The result would be a script which could 'get', or 'set' all the
accounts.
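
The two safety catches described earlier (the displayName filter and -whatIf) and the domain-root risk just described can be enforced by the script itself rather than left to memory. The following is an added example, not the original script from this page; $Marker, $MaxAccounts and $Commit are hypothetical names, and the values are placeholders for a test domain.

```powershell
# Added example: guarded bulk password reset with the Quest AD cmdlets.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.Web        # provides Membership.GeneratePassword

$OU          = "YourDomName/YourOu"      # placeholder: canonical name of the target OU
$Marker      = "PwdReset"                # placeholder: text previously added to displayName
$MaxAccounts = 25                        # hypothetical ceiling for a single run
$Commit      = $false                    # leave $false and every change runs with -WhatIf

# Guard 1: refuse a search root that is the whole domain ("YourDomName/").
$parts = @($OU.Trim('/').Split('/') | Where-Object { $_ })
if ($parts.Count -lt 2) {
    throw "Refusing to run: '$OU' is the domain root, not an OU."
}

# Guard 2: only accounts that carry the marker in displayName are candidates.
$targets = @(Get-QADUser -SearchRoot $OU -SizeLimit 0 |
    Where-Object { $_.DisplayName -like "*$Marker*" })

# Guard 3: stop if the filter matched nothing, or far more than expected.
if ($targets.Count -eq 0) {
    throw "No users under '$OU' have '$Marker' in displayName."
}
if ($targets.Count -gt $MaxAccounts) {
    throw "Matched $($targets.Count) users; the limit for one run is $MaxAccounts."
}

# Review the exact accounts before anything changes (word-wrapped, not truncated).
$targets | Format-Table Name, DisplayName, DN -Wrap -AutoSize

$issued = @()
foreach ($user in $targets) {
    # One random password per account instead of a shared literal in the script.
    $pw = [System.Web.Security.Membership]::GeneratePassword(16, 4)
    Set-QADUser -Identity $user.DN -UserPassword $pw `
        -UserMustChangePassword 1 -WhatIf:(-not $Commit)
    if ($Commit) {
        $issued += New-Object PSObject -Property @{ User = $user.Name; Password = $pw }
    }
}
# $issued stays in memory only; pass it to the help desk over a secure channel,
# not to the console or a world-readable file.
```

With $Commit left at $false the script only reports what it would change; the three guards still run, so a shortened $OU or a missing marker is caught during the dry run.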

Summary of PowerShell QADUser

There is a whole family of QADUser commands, each preceded with a different verb. The two
cmdlets that I feature on this page are 'get' and 'set'. As for learning
progression, research how to extract existing properties, then try
'setting' innocuous properties such as DisplayName. Once you have
mastered the basics and stumbled upon the 'WhatIf', then you can tackle
real tasks such as changing users' passwords.